Spotlight7573 @ Spotlight7573 @lemmy.world

Posts

7

Comments

265

Joined

2 yr. ago

Laws can very well be wrong, in a moral sense, and quite a few of them still in existence today are, but trying to argue that in court is usually a bad idea.

https://fingfx.thomsonreuters.com/gfx/legaldocs/lbvggjmzovq/internetarchive.pdf

[IA] professes to perform the traditional function of a library by lending only limited numbers of these works at a time through “Controlled Digital Lending,” .... CDL’s central tenet, according to a September 2018 Statement and White Paper by a group of librarians, is that an entity that owns a physical book can scan that book and “circulate [the] digitized title in place of [the] physical one in a controlled manner.” .... CDL’s most critical component is a one-to-one “owned to loaned ratio.” Id. Thus, a library or organization that practices CDL will seek to “only loan simultaneously the number of copies that it has legitimately acquired.”

...

Judging itself “uniquely positioned to be able to address this problem quickly and efficiently,” on March 24, 2020, IA launched what it called the National Emergency Library (“NEL”), intending it to “run through June 30, 2020, or the end of the US national emergency, whichever is later.” .... During the NEL, IA lifted the technical controls enforcing its one-to-one owned-to-loaned ratio and allowed up to ten thousand patrons at a time to borrow each ebook on the Website.

[...]

The Publishers have established a prima facie case of copyright infringement.

First, the Publishers hold exclusive publishing rights in the Works in Suit ...

Second, IA copied the entire Works in Suit without the Publishers’ permission. Specifically, IA does not dispute that it violated the Publishers’ reproduction rights, by creating copies of the Works in Suit ... ; the Publishers’ rights to prepare derivative works, by “recasting” the Publishers’ print books into ebooks ...; the Publishers’ public performance rights, through the “read aloud” function on IA’s Website ...; and the publishers’ display rights, by showing the Works in Suit to users through IA’s in-browser viewer

Bold added.

It's pretty much not in dispute that Internet Archive distributed the copyrighted works of the publishers without permission, outside of what even a traditional library lending system would allow.

To do that they need to make sure they have adequate funding and make sure they don't incur some huge financial liabilities somehow. The Internet Archive failed at that last part when they decided to lend out ebooks that are under copyright without many limits (and potentially with their Great 78 Project regarding music as well).

Internet Archive's other projects like the Wayback Machine may be good but how they handled their digital lending of books during the pandemic was not. They removed the limit on the number of people that can borrow a book at a time, thus taking away any resemblance to traditional physical lending. You can argue that copyright laws are bad and should be changed (and I'd agree) but that doesn't change the facts of what happened under the current law.

Google has a dominant position in the advertising industry with AdSense and their other advertising-related products. Google also has a dominant position in the browser market with Chrome. Google can't use that dominant position in the browser industry to make changes to their browser that would negatively affect their competitors in the advertising industry without consulting competition authorities which are trying to make sure they aren't intentionally harming their competition in the ad market using their dominance in another market (the browser market) to benefit themselves. Firefox is small enough (and generally doesn't have any other services they could leverage) that they can just make changes to their browser without running afoul of any competition concerns.

There's also the advantage that Google has when it comes to the large number of popular first party services they have, like Gmail, Search, YouTube, etc. Using those services alone, they may be able to develop a profile of a user that's better than the competition would be able to do with the new Topics API, Protected Audience API, etc and thus even just getting rid of third-party cookies without a replacement might be seen as anti-competitive. This is probably why places like the EU are also forcing services to make it possible to unlink those services and not have the data shared between them.

Not too surprising. I'm not sure I've actually seen anyone adopt their new ad technologies yet and nothing is listed in my browser. If their competition hasn't adopted it but they have, it's definitely anti-competitive for the ad market if they just shut off third-party cookies and only affect other companies (which seems to be what's delaying it with the UK's CMA).

Are there any semi-popular alternative browsers still based on WebKit? I thought most of them like Brave and Vivaldi were based on Chromium's Blink rather than WebKit.

That's likely what they want. If you're not viewing their ads and your third-party app is even blocking all the tracking, then you are not providing any value to them to keep you as a 'customer'. All it does is reduce their hosting and serving costs when you're blocked or when you eventually stop using it.

To be fair, one of the apps mentioned, [Re]Vanced, is literally just the stock app with extra features patched in and the premium features enabled for free (like no ads and downloads). It makes sense that it would be more user friendly. Allowing that modified version doesn't get them any revenue though while still costing them to host and serve the content to those users.

At least with NewPipe it supports multiple sites and is its own app with their own code and UI.

It's definitely trying to be user friendly enough that non-technical users like the family members you mention can use it to replace passwords. For your use case with a strong password and 2FAS to generate a code, it still gets rid of the phishing potential. The main advantage for the other people like your family is that they don't have to type or autofill anything, just select an account to log into or click approve on their phone. A main advantage for the service is that the user's diligence is taken out of the equation for a lot of it and they don't have to worry about a user giving their password and 2FA codes to a phisher. If a user tries to use a passkey at the wrong site (like a phishing site), it won't pop up as an option to select because the domain is wrong.

Passkeys can also help anyone who is using a service in an indirect way. The 23andMe "breach" was due to stolen credentials from other actually breached sites being used to log into accounts that have data shared with them. That 23andMe data was shared to those compromised users by people who may have actually had all their security turned up to the highest settings like 2FA but was nonetheless scraped and obtained by the bad actors anyways. If 23andMe had been using passkeys (or even magic login links in an email), there would have been no credentials from other sources to use against their 23andMe's users. Moving everyone to more secure authentication methods is in the best interest of everyone involved, it's just that typically it was a hassle to have to setup an authenticator app or a password manager for 2FA. Passkeys, when everything is working properly, finally provide both more security and more convenience for the average person than just a password and so people might actually adopt them.

People getting their accounts compromised leads to spam email, spam comments, fake crypto livestreams, etc that impact others. Google definitely has an interest in preventing people from getting their accounts compromised and not just for the benefit of the individuals with the accounts but their platforms as a whole.

Let’s say for example, I am at my friend’s house, and for one reason or another, I don’t have my phone.

If you need to log into your friend's laptop to check your email, you would need your phone or some other passkey you had set up for your account, yes, as long as that was the only login method you have setup on your account. If you don't have your phone, you might not be able to pass the two-factor steps or account login location checks many accounts. If Google finds the new login attempt suspicious for some reason, it will ask for additional checks like a code sent to your email or through a text and you may not be able to log in with just the password anyways. Just because you have the right username and password, it doesn't mean that a service may let you log in without access to some kind of other trusted information accessible on an existing device.

Overall though, think of it like forgetting your physical keys.

Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?

Yes, the same as if you had left your physical keys there and those keys provided access to all your accounts. There may be some technical protections like the timeout until it locks on a password manager but that's up to the password/passkey manager app to implement and for the OS to guarantee the security of. It's no different from loading up your password manager on the device. If you don't trust the device or the owner of the device, you should not access your password/passkey manager on it.

what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?

The same thing that happens if your password manager is compromised: you secure it (rotate encryption, create a new database, however you want) and then you set about updating new passwords and passkeys for your accounts. That's why it's recommended to only have your actual password/passkey manager on something you trust (your phone, your computer, etc) and use that device as the passkey for whichever other device your logging into rather than loading up your password/passkey manager on each device you're logging into.

A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?

It's a form of WebAuthn credential most likely, yes. Passkeys aren't actually entirely new in how they can be used with accounts, the standards have been there for a while now. It's mainly just a unified marketing from the big players as well as developing an ecosystem around it the standard such as the protocols for using a phone via Bluetooth as a passkey on a desktop/laptop to log in and other things like syncing the passkeys between devices using their existing password manager services for user convenience (so that the average person can actually use them). Under the hood it's still WebAuthn for the actual authentication. Hardware security keys that connect via USB, Bluetooth, or NFC have been around for a while but have usually operated in nonresident key mode where they've been used for second factor authentication. Nonresident key mode has the advantage of storing the private key in an encrypted format with the website or service your logging into, meaning that the actual hardware key doesn't need to have any storage capacity and can work with an infinite number of sites. This has the disadvantage that you have to provide a username (and typically a first factor like a password) to lookup which keys should be used (ie the ones associated with a specific account). That is probably how your friend logged in with a USB dongle. WebAuthn credentials that operate in resident key mode like passkeys do on the other hand store both the information related to identity and authentication, meaning that all you have to do is select the account you want to log into. This requires that they are stored on a trusted device like a phone, a laptop, or a hardware security key dongle that has storage.

What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?

Again, the same thing that happens when you forget your physical keys for your car or home. You can't access the thing protected by them until you go get them. The alternative is to bypass the normal authentication workflow and work around it, such as with an account recovery process (similar to getting a locksmith to get back into your car or home).

I am all for more security and less password remembering, but I hop around a lot of computers.

Then you'd probably like being able to log in by just unlocking your phone and confirming things, rather than having to go through a password lookup and one time code entering process each time.

One key benefit regarding hacking: the data that's passed back and forth between the user's browser/app and the website/service is a challenge and a response and is no longer sensitive like a password is and the authentication related data (the public key) that the website stores for a user's account isn't useful to an attacker.

One key benefit regarding phishing: passkeys/WebAuthn credentials incorporate the domain name into part of the authentication and it's enforced by the browser. This means that using a passkey/security key on the wrong site won't give an attacker anything useful unless they also somehow control the DNS and have a valid TLS certificate to impersonate the site with. This is unlike the situation with a phishing website where a user can be tricked by a fake but convincing looking website into giving over not just a password but a one time code provided through SMS or a TOTP.

One key benefit regarding usability: The user just has to choose which account to log into from their password manager instead of having it need to autofill correctly on the website (I still run into sites that don't autofill right). They also don't need to worry about any specific password complexity requirements or changing passwords in response to breaches or password expiration times.

Couldn't a site theoretically use a nonresident key with just a username, in place of a password?

This seems to imply it might be possible:

https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html

Discoverable Credential means that the private key and associated metadata is stored in persistent memory on the authenticator, instead of encrypted and stored on the relying party server. If the credentials were stored on the server, then the server would need to return that to the authenticator before the authenticator could decrypt and use it. This would mean that the user would need to provide a username to identify which credential to provide, and usually also a password to verify their identity.

For the accounts that are highly important, you might want to use only keys that are bound to a device like a computer, phone, or hardware security key. This would require a bit of manual management as you swap out devices and hardware keys but for a limited number of important accounts this should be feasible. For all the other general accounts, storing them in a password manager can continue to be the most convenient way to use them. The Google/Apple/Microsoft solutions take this second approach and allow them to be synced across devices.

As for the portability, it's still relatively early and I don't think there's a standardized format to export passkeys into. It's only a matter of time before things settle down and different password/passkey managers support importing and exporting to at least one format that will work.

Passkeys are a way of doing public/private key-pair crypto to prove that you are in possession of the private key that corresponds to the public key that was registered with a site or service when you added the passkey to the account. The use of the passkey is often protected by biometrics like the fingerprint or facial recognition systems on your device but it doesn't necessarily need to use biometrics at all if you don't want to and you can instead use a passcode to unlock your device or password/passkey manager.

Basically instead of the normal way with passwords:

• You ---password---> website
• Website verifies password matches, either directly to an actual stored password (bad) or through a hash they have stored

With passkeys you have:

• You <---challenge--- website
• You sign the challenge with a private key that only you have
• You ---signed challenge ---> website
• Website verifies that the signed challenge corresponds to the public key you provided when you set up the passkey

In the password scenario, the website could be following best practices and hashing the password or it could just be storing them directly and insecurely. You have no idea what really goes on inside their systems. This also means that due to reused passwords, a security breach at one site can mean problems for other sites, even if they didn't do anything wrong.

In the passkey scenario, you're not sending anything particularly sensitive to each site so it's more secure.

Uh, each service only has access to your public key, not the private one that stays with you. It's less risky than a regular password.

Even with U2F hardware keys where the server-side stores the encrypted key (to allow for infinite sites to be used with a single hardware key), it's only decryptable on your key and thus isn't that useful for someone who has compromised a service.

It basically performs the same function as an SSH key (providing public key authentication), yes.

Your issue with logging in on your phone vs laptop can be solved by either syncing them (like the OS/Browser platforms of Google/Apple/Microsoft or a password manager like Proton Pass/Bitwarden do) or by setting up each device separately (like most people should do with SSH keys). Each method comes with trade-offs: syncing means they aren't device bound and can potentially be stolen, setting it up on each device can be a pain, etc.

The important thing to remember is that passkeys don't need to be the only authentication methods attached to an account. You can use the convenience of a passkey most of the time when it's possible and then fall back to another method (like a password/TOTP pair) when that's not available (such as when setting up a new device). There's also always the standard account recovery options if all else fails, those don't necessarily go away.

The other thing to remember is that it's not trying to be a perfectly secure solution to all authentication everywhere but to replace passwords with something better. Not having to generate and store random passwords with arbitrary complexity requirements, being able to log in with just a tap or a click, and not having anything that needs to be kept secret on the website's side can be enough of an improvement over passwords to make the change worthwhile.

Votes are public to not just to the original instance admins though but to any instance admin, right? If you setup your own instance and federate with another, then you should be able to view the votes for any communities on the one you federate with. The only privacy is that the default UI doesn't display it, but a different UI could:

e.g. the one for this post on kbin.social that shows Lemmy upvotes as favorites.

I feel like this should be more prominently disclosed to Lemmy users.

Seems like it was mostly Mastodon people irritated The main issue is that it was opt-out and not opt-in:

https://github.com/snarfed/bridgy-fed/issues/835

https://github.com/snarfed/bridgy-fed/issues?q=opt-out

I don't think the bridge provides the moderation features of Bluesky though.